auditor-lambda 0.2.6 → 0.2.9

Files changed (125)
  1. package/README.md +29 -7
  2. package/audit-code-wrapper-lib.mjs +1605 -330
  3. package/dist/adapters/eslint.js +9 -5
  4. package/dist/cli.d.ts +42 -1
  5. package/dist/cli.js +192 -80
  6. package/dist/coverage.d.ts +2 -2
  7. package/dist/coverage.js +5 -5
  8. package/dist/extractors/bucketing.d.ts +4 -0
  9. package/dist/extractors/bucketing.js +6 -2
  10. package/dist/extractors/disposition.d.ts +4 -0
  11. package/dist/extractors/disposition.js +15 -2
  12. package/dist/extractors/fileInventory.js +24 -28
  13. package/dist/extractors/flows.d.ts +5 -0
  14. package/dist/extractors/flows.js +25 -39
  15. package/dist/extractors/pathPatterns.d.ts +13 -3
  16. package/dist/extractors/pathPatterns.js +116 -53
  17. package/dist/extractors/risk.js +7 -1
  18. package/dist/extractors/surfaces.d.ts +4 -0
  19. package/dist/extractors/surfaces.js +11 -11
  20. package/dist/index.d.ts +1 -1
  21. package/dist/index.js +2 -1
  22. package/dist/io/artifacts.d.ts +59 -44
  23. package/dist/io/artifacts.js +80 -120
  24. package/dist/io/json.d.ts +2 -0
  25. package/dist/io/json.js +65 -19
  26. package/dist/io/runArtifacts.d.ts +2 -1
  27. package/dist/io/runArtifacts.js +44 -7
  28. package/dist/mcp/server.d.ts +1 -0
  29. package/dist/mcp/server.js +579 -0
  30. package/dist/orchestrator/advance.js +84 -56
  31. package/dist/orchestrator/dependencyMap.js +9 -13
  32. package/dist/orchestrator/executors.js +7 -2
  33. package/dist/orchestrator/flowCoverage.js +11 -5
  34. package/dist/orchestrator/flowPlanning.d.ts +7 -2
  35. package/dist/orchestrator/flowPlanning.js +46 -21
  36. package/dist/orchestrator/flowRequeue.js +29 -9
  37. package/dist/orchestrator/internalExecutors.d.ts +2 -1
  38. package/dist/orchestrator/internalExecutors.js +130 -69
  39. package/dist/orchestrator/planning.js +25 -3
  40. package/dist/orchestrator/requeue.js +20 -5
  41. package/dist/orchestrator/resultIngestion.js +5 -6
  42. package/dist/orchestrator/runtimeValidation.d.ts +7 -2
  43. package/dist/orchestrator/runtimeValidation.js +61 -49
  44. package/dist/orchestrator/runtimeValidationUpdate.js +2 -4
  45. package/dist/orchestrator/state.js +18 -13
  46. package/dist/orchestrator/taskBuilder.d.ts +4 -2
  47. package/dist/orchestrator/taskBuilder.js +153 -52
  48. package/dist/orchestrator/trivialAudit.js +8 -5
  49. package/dist/orchestrator/unitBuilder.d.ts +3 -1
  50. package/dist/orchestrator/unitBuilder.js +24 -16
  51. package/dist/prompts/renderWorkerPrompt.d.ts +1 -1
  52. package/dist/prompts/renderWorkerPrompt.js +19 -10
  53. package/dist/providers/claudeCodeProvider.d.ts +4 -1
  54. package/dist/providers/claudeCodeProvider.js +8 -5
  55. package/dist/providers/localSubprocessProvider.d.ts +4 -0
  56. package/dist/providers/localSubprocessProvider.js +7 -2
  57. package/dist/providers/spawnLoggedCommand.d.ts +9 -1
  58. package/dist/providers/spawnLoggedCommand.js +77 -29
  59. package/dist/reporting/mergeFindings.js +0 -11
  60. package/dist/reporting/synthesis.d.ts +26 -21
  61. package/dist/reporting/synthesis.js +97 -61
  62. package/dist/reporting/workBlocks.d.ts +12 -3
  63. package/dist/reporting/workBlocks.js +124 -70
  64. package/dist/supervisor/operatorHandoff.js +48 -18
  65. package/dist/supervisor/runLedger.d.ts +1 -1
  66. package/dist/supervisor/runLedger.js +112 -5
  67. package/dist/supervisor/sessionConfig.js +10 -10
  68. package/dist/types/externalAnalyzer.d.ts +3 -0
  69. package/dist/types/flowCoverage.d.ts +5 -1
  70. package/dist/types/flowCoverage.js +5 -1
  71. package/dist/types/flows.d.ts +6 -0
  72. package/dist/types/flows.js +1 -1
  73. package/dist/types/runLedger.d.ts +5 -1
  74. package/dist/types/runLedger.js +6 -1
  75. package/dist/types/runtimeValidation.d.ts +13 -3
  76. package/dist/types/runtimeValidation.js +16 -1
  77. package/dist/types/sessionConfig.d.ts +15 -2
  78. package/dist/types/sessionConfig.js +15 -1
  79. package/dist/types/surfaces.d.ts +4 -1
  80. package/dist/types/surfaces.js +1 -1
  81. package/dist/types/workerSession.d.ts +9 -0
  82. package/dist/types/workerSession.js +5 -1
  83. package/dist/types.d.ts +4 -7
  84. package/dist/validation/artifacts.d.ts +1 -1
  85. package/dist/validation/artifacts.js +33 -20
  86. package/dist/validation/auditResults.d.ts +2 -2
  87. package/dist/validation/auditResults.js +71 -114
  88. package/dist/validation/basic.d.ts +9 -1
  89. package/dist/validation/basic.js +40 -3
  90. package/dist/validation/sessionConfig.d.ts +4 -2
  91. package/dist/validation/sessionConfig.js +62 -15
  92. package/docs/agent-integrations.md +67 -38
  93. package/docs/artifacts.md +16 -56
  94. package/docs/bootstrap-install.md +60 -30
  95. package/docs/contract.md +22 -205
  96. package/docs/next-steps.md +76 -44
  97. package/docs/packaging.md +27 -3
  98. package/docs/product-direction.md +22 -0
  99. package/docs/production-launch-bar.md +4 -2
  100. package/docs/production-readiness.md +9 -5
  101. package/docs/releasing.md +98 -0
  102. package/docs/remediation-baseline.md +75 -0
  103. package/docs/run-flow.md +23 -11
  104. package/docs/session-config.md +50 -5
  105. package/docs/supervisor.md +7 -0
  106. package/docs/workflow-refactor-brief.md +177 -0
  107. package/package.json +4 -1
  108. package/schemas/audit_result.schema.json +8 -7
  109. package/schemas/audit_task.schema.json +3 -1
  110. package/schemas/coverage_matrix.schema.json +3 -3
  111. package/schemas/critical_flows.schema.json +6 -2
  112. package/schemas/file_disposition.schema.json +2 -2
  113. package/schemas/finding.schema.json +9 -4
  114. package/schemas/flow_coverage.schema.json +2 -2
  115. package/schemas/repo_manifest.schema.json +4 -4
  116. package/schemas/risk_register.schema.json +2 -2
  117. package/schemas/runtime_validation_report.schema.json +3 -3
  118. package/schemas/runtime_validation_tasks.schema.json +8 -2
  119. package/schemas/surface_manifest.schema.json +6 -3
  120. package/schemas/unit_manifest.schema.json +3 -2
  121. package/skills/audit-code/SKILL.md +16 -2
  122. package/skills/audit-code/audit-code.prompt.md +5 -8
  123. package/schemas/merged_findings.schema.json +0 -19
  124. package/schemas/root_cause_clusters.schema.json +0 -28
  125. package/schemas/synthesis_report.schema.json +0 -61
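--- a/package/schemas/coverage_matrix.schema.json
+++ b/package/schemas/coverage_matrix.schema.json
@@ -9,7 +9,7 @@
  "type": "array",
  "items": {
  "type": "object",
- "required": ["path", "classification_status", "audit_status"],
+ "required": ["path", "unit_ids", "classification_status", "audit_status", "required_lenses", "completed_lenses"],
  "properties": {
  "path": { "type": "string" },
  "unit_ids": {
@@ -39,9 +39,9 @@
  }
  }
  },
- "additionalProperties": true
+ "additionalProperties": false
  }
  }
  },
- "additionalProperties": true
+ "additionalProperties": false
  }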
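Review bot: Closing both the item and the top-level object with `"additionalProperties": false` means a coverage_matrix artifact written by an earlier release that carried any extra key now fails validation outright, and nothing in the schema records that contract; the same applies to the sibling hunks for critical_flows, file_disposition, flow_coverage, repo_manifest, risk_register, runtime_validation_report, runtime_validation_tasks, surface_manifest and unit_manifest. The diffstat shows `dist/validation/artifacts.js` changing as well, so a regenerate-or-migrate path may exist, but that code is outside this page and cannot be confirmed from here. If older artifacts are meant to be rejected, say so where the reader of the schema will see it, e.g. add `"description": "Strict since 0.2.9: unknown keys are rejected and artifacts produced by earlier releases must be regenerated."` beside the top-level `"additionalProperties": false`.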
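--- a/package/schemas/critical_flows.schema.json
+++ b/package/schemas/critical_flows.schema.json
@@ -31,11 +31,15 @@
  "notes": {
  "type": "array",
  "items": { "type": "string" }
+ },
+ "confidence": {
+ "type": "string",
+ "enum": ["high", "low"]
  }
  },
- "additionalProperties": true
+ "additionalProperties": false
  }
  }
  },
- "additionalProperties": true
+ "additionalProperties": false
  }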
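--- a/package/schemas/file_disposition.schema.json
+++ b/package/schemas/file_disposition.schema.json
@@ -25,9 +25,9 @@
  },
  "reason": { "type": "string" }
  },
- "additionalProperties": true
+ "additionalProperties": false
  }
  }
  },
- "additionalProperties": true
+ "additionalProperties": false
  }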
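--- a/package/schemas/finding.schema.json
+++ b/package/schemas/finding.schema.json
@@ -11,7 +11,8 @@
  "confidence",
  "lens",
  "affected_files",
- "summary"
+ "summary",
+ "evidence"
  ],
  "properties": {
  "id": { "type": "string" },
@@ -54,13 +55,14 @@
  "summary": { "type": "string" },
  "affected_files": {
  "type": "array",
+ "minItems": 1,
  "items": {
  "type": "object",
  "required": ["path"],
  "properties": {
  "path": { "type": "string" },
- "line_start": { "type": "integer" },
- "line_end": { "type": "integer" },
+ "line_start": { "type": "integer", "minimum": 1 },
+ "line_end": { "type": "integer", "minimum": 1 },
  "symbol": { "type": "string" }
  },
  "additionalProperties": false
@@ -70,17 +72,20 @@
  "likelihood": { "type": "string" },
  "evidence": {
  "type": "array",
+ "minItems": 1,
  "items": { "type": "string" }
  },
  "reproduction": {
  "type": "array",
+ "minItems": 1,
  "items": { "type": "string" }
  },
  "systemic": { "type": "boolean" },
  "related_findings": {
  "type": "array",
+ "minItems": 1,
  "items": { "type": "string" }
  }
  },
- "additionalProperties": true
+ "additionalProperties": false
  }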
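Review bot: `line_start` and `line_end` each gain `"minimum": 1`, but nothing relates the two, so a finding with `line_end` below `line_start` still validates; JSON Schema cannot express that ordering, so it has to live in code, and the diffstat's `dist/validation/auditResults.js` rewrite is the natural place, though that file is outside this page. Worth stating the intent in the schema so producers and the code check agree: `"line_end": { "type": "integer", "minimum": 1, "description": "Inclusive last affected line; must not be below line_start" }`. Separately, `"minItems": 1` on the optional `reproduction` and `related_findings` arrays makes an empty array invalid while omitting the key stays valid, which is a reasonable null-vs-absent policy but one a worker emitting `[]` by default will trip over; a one-line `description` on each ("omit when there is nothing to report") would make the rule visible.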
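--- a/package/schemas/flow_coverage.schema.json
+++ b/package/schemas/flow_coverage.schema.json
@@ -45,9 +45,9 @@
  "items": { "type": "string" }
  }
  },
- "additionalProperties": true
+ "additionalProperties": false
  }
  }
  },
- "additionalProperties": true
+ "additionalProperties": false
  }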
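--- a/package/schemas/repo_manifest.schema.json
+++ b/package/schemas/repo_manifest.schema.json
@@ -13,7 +13,7 @@
  "root": { "type": "string" },
  "default_branch": { "type": "string" }
  },
- "additionalProperties": true
+ "additionalProperties": false
  },
  "generated_at": { "type": "string" },
  "files": {
@@ -24,14 +24,14 @@
  "properties": {
  "path": { "type": "string" },
  "language": { "type": "string" },
- "size_bytes": { "type": "integer" },
+ "size_bytes": { "type": "integer", "minimum": 0 },
  "hash": { "type": "string" },
  "excluded": { "type": "boolean" },
  "exclusion_reason": { "type": "string" }
  },
- "additionalProperties": true
+ "additionalProperties": false
  }
  }
  },
- "additionalProperties": true
+ "additionalProperties": false
  }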
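Review bot: `size_bytes` now carries a bound but the neighbouring `hash` stays an unconstrained string, so an empty or malformed digest passes validation even though it is the value the rest of the pipeline presumably keys change detection on; that use is inferred from the name, not visible here. Pinning the expected shape costs one line and documents the algorithm at the same time, e.g. `"hash": { "type": "string", "pattern": "^[0-9a-f]{<DIGEST_HEX_LENGTH>}$", "description": "<digest algorithm> of the file contents, lowercase hex" }` with the placeholders filled from whatever `dist/extractors/fileInventory.js` actually writes. A `"format": "date-time"` annotation on `generated_at` would likewise make the timestamp contract explicit.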
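--- a/package/schemas/risk_register.schema.json
+++ b/package/schemas/risk_register.schema.json
@@ -26,9 +26,9 @@
  "items": { "type": "string" }
  }
  },
- "additionalProperties": true
+ "additionalProperties": false
  }
  }
  },
- "additionalProperties": true
+ "additionalProperties": false
  }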
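--- a/package/schemas/runtime_validation_report.schema.json
+++ b/package/schemas/runtime_validation_report.schema.json
@@ -14,7 +14,7 @@
  "task_id": { "type": "string" },
  "status": {
  "type": "string",
- "enum": ["pending", "confirmed", "not_confirmed", "inconclusive"]
+ "enum": ["pending", "confirmed", "not_confirmed", "inconclusive", "not_required"]
  },
  "summary": { "type": "string" },
  "evidence": {
@@ -26,9 +26,9 @@
  "items": { "type": "string" }
  }
  },
- "additionalProperties": true
+ "additionalProperties": false
  }
  }
  },
- "additionalProperties": true
+ "additionalProperties": false
  }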
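--- a/package/schemas/runtime_validation_tasks.schema.json
+++ b/package/schemas/runtime_validation_tasks.schema.json
@@ -18,10 +18,16 @@
  },
  "target_paths": {
  "type": "array",
+ "minItems": 1,
  "items": { "type": "string" }
  },
  "reason": { "type": "string" },
  "priority": { "type": "string", "enum": ["high", "medium", "low"] },
+ "command": {
+ "type": "array",
+ "minItems": 1,
+ "items": { "type": "string" }
+ },
  "suggested_checks": {
  "type": "array",
  "items": { "type": "string" }
@@ -31,9 +37,9 @@
  "items": { "type": "string" }
  }
  },
- "additionalProperties": true
+ "additionalProperties": false
  }
  }
  },
- "additionalProperties": true
+ "additionalProperties": false
  }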
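Review bot: The new `command` property turns a task artifact into something that names a program to run, yet the schema only says "array of at least one string": an empty first element is still valid, and nothing tells a reader whether the array is argv handed to a spawn call or a line that goes through a shell. The executor side is in `dist/providers/spawnLoggedCommand.js` per the diffstat, which is outside this page, so the schema is the only place this page can pin the contract; suggest `"items": { "type": "string", "minLength": 1 }` plus `"description": "Program and arguments in argv form; executed directly, never via a shell"` if that matches the executor. A schema cannot restrict which executables are acceptable, so whatever allow-list or operator confirmation the runtime applies before running a task-supplied command should be stated in the task documentation rather than left implicit.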
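--- a/package/schemas/surface_manifest.schema.json
+++ b/package/schemas/surface_manifest.schema.json
@@ -17,7 +17,10 @@
  "enum": ["interface", "background"]
  },
  "entrypoint": { "type": "string" },
- "exposure": { "type": "string" },
+ "exposure": {
+ "type": "string",
+ "enum": ["network", "local"]
+ },
  "methods": {
  "type": "array",
  "items": { "type": "string" }
@@ -27,9 +30,9 @@
  "items": { "type": "string" }
  }
  },
- "additionalProperties": true
+ "additionalProperties": false
  }
  }
  },
- "additionalProperties": true
+ "additionalProperties": false
  }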
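Review bot: Restricting `exposure` to `["network", "local"]` leaves no value for a surface whose reachability the extractor could not determine, so the producer must pick one of the two; if it falls back to `local`, a genuinely network-reachable entrypoint is under-prioritised by every consumer that keys on this field, and if it falls back to `network` the field stops carrying signal. Which fallback `dist/extractors/surfaces.js` uses is not visible on this page. Either add an explicit third value such as `"unknown"` so the uncertainty is preserved, or document the chosen default in the schema, e.g. `"description": "network: reachable from outside the process boundary; local: in-process or host-only; undetermined surfaces are recorded as <DEFAULT_VALUE>"` with the placeholder replaced by the extractor's actual behaviour.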
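--- a/package/schemas/unit_manifest.schema.json
+++ b/package/schemas/unit_manifest.schema.json
@@ -25,6 +25,7 @@
  },
  "required_lenses": {
  "type": "array",
+ "minItems": 1,
  "items": {
  "type": "string",
  "enum": ["correctness", "architecture", "maintainability", "security", "reliability", "performance", "data_integrity", "tests", "operability", "config_deployment"]
@@ -35,9 +36,9 @@
  "items": { "type": "string" }
  }
  },
- "additionalProperties": true
+ "additionalProperties": false
  }
  }
  },
- "additionalProperties": true
+ "additionalProperties": false
  }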
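--- a/package/skills/audit-code/SKILL.md
+++ b/package/skills/audit-code/SKILL.md
@@ -17,12 +17,24 @@ Normal usage should:
  - avoid manual paths, provider flags, and model-selection arguments
  - advance the audit automatically until it completes or no further automatic progress is possible
 
+ Semantic review should stay with the active conversation agent by default.
+ If the host can delegate to subagents, that fan-out belongs to the host agent runtime rather than to repo-local backend provider settings.
+
  Bounded steps are a backend implementation detail, not the intended user experience.
 
  ## Embedded Prompt Payload
 
- For IDE-based LLMs (Antigravity, Copilot, Cursor), you can initialize the skill natively by importing the prompt payload defined in `audit-code.prompt.md`.
- This provides the LLM an exact instruction set required to natively intercept the state machine blocking phases securely and assume the responsibilities of the execution "worker".
+ The prompt payload in `audit-code.prompt.md` remains the canonical instruction asset.
+
+ The preferred setup path is:
+
+ ```bash
+ audit-code install
+ ```
+
+ That bootstrap writes repo-local host assets for Codex, Claude Desktop, OpenCode, VS Code, and Antigravity plus shared MCP setup guidance.
+
+ Use direct prompt import only when the target host still needs it after bootstrap.
 
  ## Repo-local fallback
 
@@ -49,6 +61,8 @@ For repo-local backend usage:
  - `provider: "auto"` is the explicit opt-in best-effort routing mode
  - explicit provider names remain available when an operator wants a specific backend
 
+ Those explicit provider names are backend compatibility bridges, not the intended default review owner.
+
  ## Development rule
 
  Prefer the skill-first conversational contract over the CLI-first backend shape.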
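--- a/package/skills/audit-code/audit-code.prompt.md
+++ b/package/skills/audit-code/audit-code.prompt.md
@@ -57,14 +57,11 @@ Continue repeating Steps 1 through 5 as necessary. The state machine will iterat
  ## Step 7: Presentation
 
  Once the audit is officially complete, DO NOT run the orchestrator again.
- Instead, use your file reading tool to consume:
+ Instead, read the final deterministic report at:
 
- - `.audit-artifacts/synthesis_report.json`
+ - `audit-report.md`
 
- Finally, present the completed audit back to the user in this order:
+ Present the completed audit back to the user with the work blocks first, since
+ they are the primary remediation handoff units.
 
- 1. A **Work Blocks** section summarizing `synthesis_report.work_blocks` first, because those are the primary actionable remediation groups.
- 2. A polished **Markdown Summary Table** for the highest-signal merged findings.
- 3. A concise semantic **Root Cause Clusters** summary based on `synthesis_report.root_cause_clusters`.
-
- Wait for the user to ask you to begin resolving or patching the work blocks or clusters you discovered.
+ Wait for the user to ask you to begin resolving one or more work blocks.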
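--- a/package/schemas/merged_findings.schema.json
+++ b/package/schemas/merged_findings.schema.json
@@ -1,19 +0,0 @@
- {
- "$schema": "https://json-schema.org/draft/2020-12/schema",
- "$id": "merged_findings.schema.json",
- "title": "Merged Findings",
- "type": "object",
- "required": ["findings"],
- "$defs": {
- "Finding": {
- "$ref": "finding.schema.json"
- }
- },
- "properties": {
- "findings": {
- "type": "array",
- "items": { "$ref": "#/$defs/Finding" }
- }
- },
- "additionalProperties": false
- }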
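--- a/package/schemas/root_cause_clusters.schema.json
+++ b/package/schemas/root_cause_clusters.schema.json
@@ -1,28 +0,0 @@
- {
- "$schema": "https://json-schema.org/draft/2020-12/schema",
- "$id": "root_cause_clusters.schema.json",
- "title": "Root Cause Clusters",
- "type": "object",
- "required": ["clusters"],
- "properties": {
- "clusters": {
- "type": "array",
- "items": {
- "type": "object",
- "required": ["id", "title", "finding_ids"],
- "properties": {
- "id": { "type": "string" },
- "title": { "type": "string" },
- "summary": { "type": "string" },
- "finding_ids": {
- "type": "array",
- "items": { "type": "string" },
- "minItems": 1
- }
- },
- "additionalProperties": true
- }
- }
- },
- "additionalProperties": true
- }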
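--- a/package/schemas/synthesis_report.schema.json
+++ b/package/schemas/synthesis_report.schema.json
@@ -1,61 +0,0 @@
- {
- "$schema": "https://json-schema.org/draft/2020-12/schema",
- "$id": "synthesis_report.schema.json",
- "title": "Synthesis Report",
- "type": "object",
- "required": ["summary", "merged_findings", "root_cause_clusters"],
- "properties": {
- "summary": {
- "type": "object",
- "required": [
- "finding_count",
- "cluster_count",
- "runtime_validation_status_breakdown"
- ],
- "properties": {
- "finding_count": { "type": "integer" },
- "cluster_count": { "type": "integer" },
- "runtime_validation_status_breakdown": {
- "type": "object",
- "additionalProperties": { "type": "integer" }
- },
- "notes": {
- "type": "array",
- "items": { "type": "string" }
- }
- },
- "additionalProperties": true
- },
- "merged_findings": {
- "type": "array",
- "items": { "$ref": "finding.schema.json" }
- },
- "root_cause_clusters": {
- "type": "array",
- "items": {
- "$ref": "#/$defs/cluster"
- }
- }
- },
- "$defs": {
- "cluster": {
- "type": "object",
- "required": ["id", "title", "finding_ids"],
- "properties": {
- "id": { "type": "string" },
- "title": { "type": "string" },
- "summary": { "type": "string" },
- "finding_ids": {
- "type": "array",
- "items": { "type": "string" }
- },
- "recommended_actions": {
- "type": "array",
- "items": { "type": "string" }
- }
- },
- "additionalProperties": true
- }
- },
- "additionalProperties": true
- }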